Commit
feat: Use customer's certificate signed by CA (#291)
* added secret with predefined customer's certificates and private key

* documentation: added secret with predefined customer's certificates and private key

* update according to comments

* remove jenkins-x-vault name with suffix

Co-authored-by: Andriy Pentsak <[email protected]>
apentsak-vitech and AndrewPentsak authored Aug 13, 2021
1 parent b10a2bb commit 63feaaa
Showing 10 changed files with 107 additions and 0 deletions.
18 changes: 18 additions & 0 deletions README.md
Expand Up @@ -227,6 +227,8 @@ The following sections provide a full list of configuration in- and output varia
| subdomain | The subdomain to be added to the apex domain. If subdomain is set, it will be appended to the apex domain in `jx-requirements-eks.yml` file | `string` | `""` | no |
| subnets | The subnet ids to create EKS cluster in if create\_vpc is false | `list(string)` | `[]` | no |
| tls\_email | The email to register the LetsEncrypt certificate with. Added to the `jx-requirements.yml` file | `string` | `""` | no |
| tls\_key | The customer's private key that he got from some CA. It could be as base64 encrypted content or path to file. | `string` | `""` | no |
| tls\_cert | The customer's certificate that he got from some CA. It could be as base64 encrypted content or path to file. | `string` | `""` | no |
| use\_asm | Flag to specify if AWS Secrets manager is being used | `bool` | `false` | no |
| use\_kms\_s3 | Flag to determine whether kms should be used for encrypting s3 buckets | `bool` | `false` | no |
| use\_vault | Flag to control vault resource creation | `bool` | `true` | no |
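Review bot: the new `tls_key` and `tls_cert` rows describe the value as "base64 encrypted content", but base64 is an encoding, not encryption, so the wording misleads readers about what protects the key; suggest "PEM content encoded with base64, or a path to the PEM file" and replacing "that he got from some CA" with "issued by a CA". The `tls_key` row should also say the value is a private key and must be treated as a secret (not committed to the repository), since nothing else in the table marks it as such.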
Expand Down Expand Up @@ -407,6 +409,22 @@ You can choose to use the `production` environment with the `production_letsencr

You need to provide a valid email to register your domain in LetsEncrypt with `tls_email`.

### Customer's CA certificates

Customer has got signed certificates from CA and want to use it instead of LetsEncrypt certificates. Terraform creates k8s `tls-ingress-certificates-ca` secret with `tls_key` and `tls_cert` in `default` namespace.
User should define:
```
enable_external_dns = true
apex_domain = "office.com"
subdomain = "subdomain"
enable_tls = true
tls_email = "[email protected]"
// Signed Certificate must match the domain: *.subdomain.office.com
tls_cert = "/opt/CA/cert.crt"
tls_key = "LS0tLS1C....BLRVktLS0tLQo="
```

### Velero Backups

This module can set up the resources required for running backups with Velero on your cluster by setting the flag `enable_backup` to `true`.
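Review bot: the "User should define:" block inlines a base64 private key literal (`tls_key = "LS0tLS1C....BLRVktLS0tLQo="`) next to ordinary settings, which invites copying the key into a committed `.tf` file; suggest `tls_key = var.tls_key` as `examples/customers_certificate/main.tf` does, with a sentence that the value should come from an uncommitted tfvars file or environment variable. The intro sentence also needs grammar work, e.g. "A customer who has certificates issued by a CA can use them instead of the LetsEncrypt certificates", and it should state that the `tls-ingress-certificates-ca` secret is only created when both `tls_key` and `tls_cert` are non-empty, which is the condition the module actually applies.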
13 changes: 13 additions & 0 deletions examples/customers_certificate/main.tf
@@ -0,0 +1,13 @@
module "eks-jx" {
source = "jenkins-x/eks-jx/aws"

enable_external_dns = true
apex_domain = "office.com"
subdomain = "subdomain"
enable_tls = true
tls_email = "[email protected]"

// Signed Certificate must match the domain: *.subdomain.office.com
tls_cert = var.tls_cert
tls_key = var.tls_key
}
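Review bot: `apex_domain = "office.com"` is a real, registered domain used here as a placeholder; since this example is meant to be copied and `enable_external_dns = true` will try to manage records for it, prefer `example.com`, which is reserved for documentation, so a copied example can never point DNS at a domain the user does not control.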
4 changes: 4 additions & 0 deletions examples/customers_certificate/outputs.tf
@@ -0,0 +1,4 @@
output "jx_requirements" {
value = module.eks-jx.jx_requirements
description = "The templated jx-requirements.yml"
}
18 changes: 18 additions & 0 deletions examples/customers_certificate/variables.tf
@@ -0,0 +1,18 @@
// -----------------------------
// Customer's Certificates
// -----------------------------
//
// tls_key and tls_cert can be as path to file or base64-encrypted content
//

variable "tls_key" {
description = "Path to TLS key or base64-encrypted content"
type = string
default = "/opt/cert_ca/private.key"
}

variable "tls_cert" {
description = "Path to TLS certificate or base64-encrypted content"
type = string
default = "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"
}
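Review bot: `tls_key` carries a private key but is a plain `string` variable; declare it with `sensitive = true` so Terraform redacts it from plan and apply output. The header comment and both descriptions say "base64-encrypted content", which should read "base64-encoded content", and a non-empty default such as `"/opt/cert_ca/private.key"` for a private key path is surprising in an example; an empty default that forces the user to supply the value is the safer choice.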
3 changes: 3 additions & 0 deletions local.tf
Expand Up @@ -5,6 +5,8 @@ locals {
external_vault = var.vault_url != "" ? true : false
registry = var.registry != "" ? var.registry : "${data.aws_caller_identity.current.account_id}.dkr.ecr.${var.region}.amazonaws.com"
project = data.aws_caller_identity.current.account_id
tls_secret_name = var.tls_key == "" || var.tls_cert == "" ? "" : "tls-ingress-certificates-ca"

// ----------------------------------------------------------------------------
// Let's generate jx-requirements.yml
// ----------------------------------------------------------------------------
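Review bot: `tls_secret_name` duplicates both the emptiness check and the literal `"tls-ingress-certificates-ca"` that `modules/cluster/custom_cert.tf` hardcodes independently, so a rename in either place silently leaves `jx-requirements.yml` referencing a secret that is never created. Suggest having the cluster module expose the name of the secret it creates as an output (for example `module.cluster.tls_secret_name`, empty when `count` is 0) and reading that here, so the name and the creation condition live in one place.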
Expand Down Expand Up @@ -36,6 +38,7 @@ locals {
velero_schedule = var.velero_schedule
velero_ttl = var.velero_ttl
// DNS
tls_secret_name = local.tls_secret_name
enable_external_dns = var.enable_external_dns
domain = module.dns.domain
enable_tls = var.enable_tls
2 changes: 2 additions & 0 deletions main.tf
Expand Up @@ -93,6 +93,8 @@ module "cluster" {
create_ssm_role = var.create_ssm_role
create_tekton_role = var.create_tekton_role
additional_tekton_role_policy_arns = var.additional_tekton_role_policy_arns
tls_cert = var.tls_cert
tls_key = var.tls_key
}

// ----------------------------------------------------------------------------
18 changes: 18 additions & 0 deletions modules/cluster/custom_cert.tf
@@ -0,0 +1,18 @@
resource "kubernetes_secret" "tls" {
count = var.tls_key == "" || var.tls_cert == "" ? 0 : 1
metadata {
name = "tls-ingress-certificates-ca"
namespace = "default"
}

data = {
"tls.crt" = try(file(var.tls_cert), base64decode(var.tls_cert))
"tls.key" = try(file(var.tls_key), base64decode(var.tls_key))
}

type = "kubernetes.io/tls"

depends_on = [
module.eks
]
}
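Review bot: `try(file(var.tls_cert), base64decode(var.tls_cert))` and the matching `tls.key` line accept anything that base64-decodes, so a mistyped path is silently decoded as base64 and produces a secret with garbage contents that only fails at ingress time; add a `validation` block on the variables (or a check in the module) that the decoded value contains a PEM header, for example `can(regex("-----BEGIN", ...))`, so the plan fails early with a clear message. Because the key is placed in `data` of a `kubernetes_secret`, it is also recorded in plaintext in the Terraform state, so the README should require an encrypted, access-controlled state backend when this feature is used. Finally, `count` checks only `tls_key` and `tls_cert`, not `enable_tls`, so the secret is created even when TLS is disabled; either document that or include `var.enable_tls` in the condition.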
15 changes: 15 additions & 0 deletions modules/cluster/variables.tf
Expand Up @@ -385,3 +385,18 @@ variable "additional_tekton_role_policy_arns" {
type = list(string)
default = []
}

// ----------------------------------------------------------------------------
// Customer's Certificates
// ----------------------------------------------------------------------------
variable "tls_key" {
description = "Path to TLS key or base64-encrypted content"
type = string
default = ""
}

variable "tls_cert" {
description = "Path to TLS certificate or base64-encrypted content"
type = string
default = ""
}
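Review bot: both descriptions say "base64-encrypted content", which should be "base64-encoded content", and `tls_key` should be declared with `sensitive = true` since it receives a private key; the root-level `variables.tf` in this same commit describes the values differently ("TLS key encrypted with Base64"), so the two files should use one wording.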
1 change: 1 addition & 0 deletions templates/jx-requirements.yml.tpl
Expand Up @@ -18,6 +18,7 @@ ingress:
email: "${tls_email}"
enabled: ${enable_tls}
production: ${use_production_letsencrypt}
%{ if tls_secret_name != ""}secretName: ${tls_secret_name}%{ endif }
kaniko: true
%{ if use_vault }
secretStorage: vault
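Review bot: when `tls_secret_name` is empty, `%{ if tls_secret_name != ""}secretName: ${tls_secret_name}%{ endif }` still emits a blank line in the rendered `jx-requirements.yml`; harmless for YAML, but using strip markers (`%{~ if tls_secret_name != "" }` and `%{ endif ~}`) keeps the output byte-identical to the previous template for users who do not supply certificates. Note also that `secretName` is emitted based solely on whether the key and certificate were provided, independent of `enabled: ${enable_tls}` two lines above, so the rendered file can name a TLS secret while TLS is disabled.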
15 changes: 15 additions & 0 deletions variables.tf
Expand Up @@ -559,6 +559,21 @@ variable "additional_tekton_role_policy_arns" {
default = []
}

// ----------------------------------------------------------------------------
// Customer's Certificates
// ----------------------------------------------------------------------------
variable "tls_key" {
description = "TLS key encrypted with Base64"
type = string
default = ""
}

variable "tls_cert" {
description = "TLS certificate encrypted with Base64"
type = string
default = ""
}

variable "create_nginx" {
default = false
type = bool
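Review bot: the descriptions "TLS key encrypted with Base64" and "TLS certificate encrypted with Base64" disagree with the module-level variables and the README, which also accept a file path, and base64 is encoding rather than encryption; suggest "Path to the PEM file, or its base64-encoded content" in both, and `sensitive = true` on `tls_key` here at the root, since this is the variable users actually set.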